Image: Cato AI Labs
- Product: cursor
- Vulnerabilities: 2 flaws (CVE-2026-50548, CVE-2026-50549)
- Highest severity: 9.3 (Critical · CVSSv4)
- Worst impact: Desktop sandbox escape via agent-controlled working directory
- Status: No confirmed exploitation yet
- Action: See vendor advisories
| CVE | CVSS | Type | Status |
|---|---|---|---|
| CVE-2026-50548 | 9.3 | Desktop sandbox escape via agent-controlled working directory | Not exploited |
| CVE-2026-50549 | 9.3 | Desktop sandbox escape via symlink and failed path canonicalization | Not exploited |
TL;DR
Cato AI Labs found a critical Cursor IDE RCE vulnerability. These bugs allow attackers to break out of the sandbox environment. Consequently, a threat actor can execute remote code on a victim’s machine.
Why It Matters
Cursor IDE is a popular development tool. The vendor claims it is used by over half of the Fortune 500. This zero-click flaw presents a massive risk. A remote attacker can take over local machines and connected cloud workspaces. Crucially, the exploit needs zero clicks from the developer. The victim only needs to process an unsafe prompt. Thus, everyday coding tasks become highly dangerous. Furthermore, Cato AI Labs states, “These vulnerabilities show how prompt injection can reach beyond the LLM layer.”
How the Attack Works
The DuneSlide attack exploits two separate architectural flaws. First, the sandbox builds security boundaries based on tool parameters. A prompt injection can change the working directory parameter. This action forces the sandbox to allow writes outside the safe zone. Attackers can then overwrite the core cursorsandbox binary.
Second, the IDE fails to handle symbolic links correctly. The canonicalization logic contains a dangerous fallback mechanism. If a path check fails, the system uses the original symlink path. Therefore, attackers create write-only symlinks to trick the agent. This allows them to overwrite critical system files. Both methods trigger the Cursor IDE RCE vulnerability. No official exploitation in the wild is confirmed yet.
Affected Versions and Mitigation Steps
Cursor 2.x versions include the vulnerable automatic terminal command execution. The sandbox runs by default without user approval. Currently, no public proof-of-concept exploit exists for CVE-2026-50548 or CVE-2026-50549. Users should read the DuneSlide report by Cato AI Labs for technical details. Developers must monitor vendor updates carefully. Disable automatic terminal execution if the tool permits it. Finally, restrict MCP servers and untrusted web inputs.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.